Connecting with WIPO

In the Courts: Pursuing the P2P Pirates – Balancing Copyright and Privacy Rights

April 2008

How can P2P users be prevented from sharing what is not their's to share? (Photos.com)

By Professor Ramón Casas Vallés

A landmark ruling by the European Court of Justice in January sparked a rash of headlines, many presenting the verdict as a victory for Internet access providers over demands by record companies to disclose the identities of copyright-infringing file sharers. In reality, the judgment – aimed at guiding national legislators in their implementation of EU law – cut several ways. The following account was written for WIPO Magazine by Professor Ramón Casas Vallés, an expert in copyright law at the University of Barcelona, Spain.

Exchanging – or sharing – files on peer-to-peer (P2P) networks is now a widespread practice. Via increasingly decentralized technological platforms, users can take what they need from other users’ computers, while making available the contents of their own shared folder. It would be a delightful model of cooperation and generosity… were it not for the detail that, as often as not, what they are sharing actually belongs to someone else.

Except when exchanging material which is not copyright protected, or doing so with the rights owner’s authorization, P2P file sharing entails copyright infringement of colossal proportions. It affects not only the right to reproduce a work, but also the right to make it available to the public. It is not covered by any limitation or exception to copyright. Nor could the reproduced files be considered private copies, since they are intended for collective consumption. The effects are suffered by small businesses as much as large ones – and simply to blame their business models seems a cynical excuse.

Who is liable?

In considering legal action, the rights owners have before them three distinct groups who might be seen as responsible.

First, those who create and distribute the file sharing programs. But, in itself, this technology is neutral, with both positive and negative applications. Anyone who simply makes and distributes P2P programs - without promoting their use for infringing acts - is not committing any infringement. (In this regard, the US Supreme Court ruling of June 27, 2005 found against Grokster because it explicitly encouraged copyright infringement by the users of its P2P services.)

The second group consists of the various Internet service providers (ISPs) which provide access to the network. These are the major beneficiaries of the P2P phenomenon – to the extent that, in some countries, the expansion of broadband services has gone hand in hand with P2P traffic. Yet be that as it may, the fact of facilitating such services does not constitute copyright infringement.

This leaves the third group: the P2P users themselves. Here, there can be no doubt. In the absence of authorization from the rights holders, the users are undeniably breaking copyright law. But how can these users be identified in order to bring legal action against them? The short answer is through subscriber data held by their ISPs. This, then, was the starting point of the Promusicae vs. Telefónica case in Spain, which led to the landmark ruling by the European Court of Justice (ECJ) on January 291 this year.

Promusicae vs. Telefónica

Promusicae is a Spanish association of producers of music and audiovisual recordings. In 2005,the group applied to the Spanish courts for an order to oblige the ISP Telefónica to disclose the names and physical addresses of a number of its subscribers, who were allegedly using P2P programs to distribute copyrighted music on a massive scale. The individuals could be identified through their Internet protocol number plus connection dates and times. Under Spanish law, Telefónica, as an access provider, is obliged to retain and make available such connection and traffic data “for use in the context of a criminal investigation or for reasons of public security and national defense.” (Article 12 of the Law on information society services and electronic commerce – LSSI.)

The Madrid Court ordered Telefónica to hand over the information. Telefónica,however, objected on the grounds that Promusicae had brought the case in the context of commencing civil, not criminal, proceedings.

So why didn’t Promusicae go down the criminal proceedings route? Simply because, in Spain, the infringement of copyright and related rights is only deemed a crime when carried out for a “profit motive,” and, for the moment at least, the Attorney General’s Office and the courts agree that this implies seeking commercial gain. Thus, using P2P file sharing networks to obtain for free something which has a price in the market place, would not imply a profit motive as such – despite the fact that it may save the user a considerable amount of money.

Conformity with EU Directives

The Spanish law underpinning Telefónica’s refusal derived directly from European Union (EU) law. The Spanish court therefore decided to seek a preliminary ruling from the ECJ. The court’s concerns centered on whether Article 12 of the LSSI (above) was in conformity with the legal principles enshrined in certain EU laws, namely the Charter of Fundamental Rights; Directive 2000/31 on electronic commerce in the Internal Market; Directive 2001/29 on copyright and related rights in the information society; and Directive 2004/48 on the enforcement of intellectual property rights. Should, the court asked, these EU laws be interpreted to mean that member states should oblige ISPs to disclose connection and data traffic also in civil cases of copyright infringement?

The Directives cited by the Spanish court are intended to ensure the effective protection of intellectual property, but without prejudice to laws covering the protection of confidentiality and handling of personal data. For this reason, the ECJ responded, these Directives “do not require member states to lay down…an obligation to disclose personal data in civil proceedings.” Neither does the Charter of Fundamental Rights, which provides for legal protection both of property and of personal data and privacy.

However, the ECJ judgment also referred to another EU law, not cited by the Spanish court: Directive 2002/58 on the protection of personal data and privacy in electronic communications. This enabled the ECJ to make clear a point that, interestingly, was omitted from much of the news coverage of this case. Namely, that it is equally entirely consistent with EU law for national legislators to decide to impose on access providers an obligation to disclose connection and traffic data in civil cases.

Striking a balance

As the ancient Greeks knew well, consulting the Oracle at Delphi was never a simple matter. The question had to be worded carefully and the Oracle’s response was often cryptic. The interpretations handed down by the ECJ, while less enigmatic, still sometimes need reading between the lines. The ECJ reply to the Spanish court opens with a categorical statement: in civil proceedings, the EU Directives do not require member states to oblige ISPs to disclose personal data for copyright protection. But it goes on to add a significant warning: when transposing EU Directives into national laws, member states must ensure a judicious balance between all the different fundamental rights protected by the Community legal order.

The final decision of the Spanish court is still pending. If it finds against Promusicae, it will then be for the legislators to consider whether the current legal provisions achieve the required balance.